DEV Community

Yash Sonawane
Yash Sonawane

Posted on

How to Secure Your EC2, S3 & RDS Like a DevOps Engineer πŸ”πŸš€

"Your AWS setup is only as strong as your weakest misconfiguration."

If you're just launching your first EC2 instance, uploading files to S3, or spinning up an RDS database β€” congratulations! You’re building on the cloud. But here’s a hard truth: 90% of security issues in AWS come from avoidable mistakes.

Today, I’ll show you how to secure your EC2, S3, and RDS like a DevOps engineer β€” even if you're brand new to cloud. No jargon. No overkill. Just real tips, relatable analogies, and actionable code snippets.

Let’s lock it down. πŸ›‘οΈ


πŸšͺ Step 1: Secure Your EC2 Like It's Your Front Door

Imagine EC2 as your house in the cloud. You wouldn’t leave your front door wide open, right?

βœ… What to Do:

  • Use key pairs for SSH access (never passwords!)
  • Restrict inbound traffic with Security Groups
  • Change the default SSH port (22) to something custom (e.g., 2222)
  • Use a bastion host or VPN for private instances

πŸ›‘ What to Avoid:

  • Opening ports to 0.0.0.0/0 unless absolutely needed (this means open to the world!)
  • Using root user for everyday tasks

πŸ” Example Security Group:

aws ec2 authorize-security-group-ingress \
  --group-id sg-01234abcde \
  --protocol tcp \
  --port 22 \
  --cidr 203.0.113.0/24
Enter fullscreen mode Exit fullscreen mode

This allows only your office/home IP to access the instance via SSH.


πŸ“¦ Step 2: Secure Your S3 Like a Vault (Not a Public Folder)

S3 is powerful β€” but dangerously easy to misconfigure.

Real-world fail: A dev uploads app logs with customer data to a public bucket. It gets scraped by bots in minutes.

βœ… What to Do:

  • Enable Block Public Access on all buckets
  • Use bucket policies to control access tightly
  • Enable S3 server-side encryption (SSE)
  • Use pre-signed URLs for temporary file access

πŸ”’ Example Bucket Policy (Read Only for Authenticated Users):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-secure-bucket/*",
      "Condition": {
        "Bool": {"aws:SecureTransport": "true"}
      }
    }
  ]
}
Enter fullscreen mode Exit fullscreen mode

Pro tip: Use S3 access logs to track who accessed what, and when.


πŸ›’οΈ Step 3: Secure Your RDS Like a Fortified Database

Databases are prime targets for attackers. If you’re using RDS for MySQL, PostgreSQL, or Aurora, lock it down.

βœ… What to Do:

  • Keep your RDS inside a private subnet
  • Restrict access using Security Groups
  • Enable encryption at rest and in transit
  • Turn on automated backups and multi-AZ failover

πŸ”‘ IAM Authentication (Optional)

Use IAM users instead of native DB usernames/passwords β€” especially for short-lived apps or internal tooling.

aws rds generate-db-auth-token \
  --hostname mydb.cluster-xyz.us-east-1.rds.amazonaws.com \
  --port 3306 \
  --region us-east-1 \
  --username devuser
Enter fullscreen mode Exit fullscreen mode

Reminder: Don’t expose RDS to the internet unless absolutely necessary. Use a bastion host or AWS Systems Manager Session Manager.


🧠 Bonus Tips Across All Services

βœ… Tag your resources for better visibility & automation
βœ… Enable CloudTrail & GuardDuty for monitoring and anomaly detection
βœ… Rotate credentials and access keys regularly
βœ… Use IAM Roles, not long-term static credentials
βœ… Apply least privilege principles β€” don’t give broad access to anyone


🧠 TL;DR – The DevOps Security Checklist

Service What to Secure
EC2 SSH access, ports, IAM roles, key pairs
S3 Public access, bucket policies, encryption
RDS Network access, backups, encryption, IAM auth

πŸ’¬ Let’s Keep the Cloud Safe β€” Together

Every dev is responsible for cloud security. These aren't just best practices β€” they're habits that help you build trust with your users and clients.

πŸ‘‡ What’s one security tip YOU swear by? Ever had a close call?

Share your stories in the comments. Hit ❀️ if this helped you, and tag a friend who just launched their first AWS project!

Together, let’s build secure β€” and build smart. 🧑

Top comments (0)